RE: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London Chapter meeting on WAF (Web Application Firewalls)

["Darren Webb" <spyder007 () charter net>]

Dean,

Do you know if he had WebInspect setup correctly?  I believe any tool is
only as good as the user.  I can recall several instances in the company
that I work for of "web assessments" that were nothing more than plugging in
the IP or URL, pushing the big green GO button and printing out the report.
No tool looks good in this light.

Note: I don't work for them but I do use this tool.  Cenzic Hailstorm finds
both Auth Bypass as well as Blind SQL injection on HacmeBank V1 and recently
released V2.

Darren

-----Original Message-----
From: Dean H. Saxe [mailto:dean () fullfrontalnerdity com] 
Sent: Friday, May 05, 2006 11:38 AM
To: Patrick Wolf
Cc: Bill McGee (bam); MindsX; Dinis Cruz; webappsec () securityfocus com
Security; websecurity () webappsec org
Subject: Re: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp-London
Chapter meeting on WAF (Web Application Firewalls)

How do you address the fact that the application scanners still miss a
majority of bugs?  I was at a client site yesterday when he told me about
pointing WebInspect at HacmeBank from Foundstone (disclaimer: I work for
Foundstone).  WI didn't even find the most simple case of SQL injection on
the homepage.  How well do you think it does on a moderately secure
application, instead of one designed with numerous easy to exploit flaws?

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"What difference does it make to the dead,  the orphans, and the homeless,
whether the  mad destruction is wrought under the name of totalitarianism or
the holy name of  liberty and democracy? "
     --Gandhi

Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd/


On May 3, 2006, at 9:17 PM, Patrick Wolf wrote:

> Regarding independent security verifications of the products 
> themselves, several WAF vendors created an ICSA Premier Services 
> certification for WAF to specifically answer this question. Part of 
> this certification was a full audit of the management console as well.
>
> Here is the lab report for F5's TrafficShield:
>
> https://www.icsalabs.com/icsa/docs/html/communities/services/
> Lab_Reports/F5_Certification_Final_Report.PDF
>
> F5 also contracted Aspect Security last year to test the security 
> provided by TrafficShield vis-à-vis the OWASP Top Ten. That report can 
> be found here:
>
> http://www.f5.com/reports/Aspect_F5_TrafficShield_Summary_Report.pdf
>
> I should also point out that it is our standard QA practice to test 
> our UI with an application scanner.
>
>
> Patrick Wolf  |  Product Manager
> F5 Networks www.f5.com
> P 408-273-4859  D 206.272.5556
> D 408-273-4859  M 408-390-9400
>
>
> ________________________________________
> From: Bill McGee (bam) [mailto:bam () cisco com]
> Sent: Monday, May 01, 2006 7:56 AM
> To: MindsX; Dinis Cruz
> Cc: owasp-dotnet () lists sourceforge net; owasp- 
> london () lists sourceforge net; webappsec () securityfocus com; 
> websecurity () webappsec org
> Subject: RE: [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp- London 
> Chapter meeting on WAF (Web Application Firewalls)
>
> The trick, of course, is that standards in this area are just starting 
> to emerge. So who do you get to do the verification? There is no EAL 
> equivalent for this space, #)3 people will always be able to find 
> someone like Tolley Group to provide whatever verification you want if 
> the fee is right.
>
> We *really* need a standards body to step up and establish/conduct a 
> soup-to-nuts verification plan. An interoperability test would also be 
> nice...
>
> That's MY .02...
>
> -bill
>
>  -----Original Message-----
> From:   MindsX [mailto:mindsx () gmail com]
> Sent:   Mon May 01 06:18:29 2006
> To:     Dinis Cruz
> Cc:     owasp-dotnet () lists sourceforge net; owasp- 
> london () lists sourceforge net; webappsec () securityfocus com; 
> websecurity () webappsec org
> Subject:        [WEB SECURITY] Re: [Owasp-dotnet] Review of Owasp- 
> London Chapter meeting on WAF (Web Application Firewalls)
>
> My $0.02... [I seem to be giving alot away recently]....
>
> 5    c) Where are the published independent security reviews of these
> products? I find amazing that vendors that are selling a 'security 
> product', e.g. a software application (WAF) that protects other 
> software applications (Websites), do not understand the value of 
> hiring independent 3rd party security companies to perform source code 
> security audits to their products (note that the final results of 
> these audits must be published and made available to clients). As 
> discussed during the panel,
>
> > it is probably impossible to create bug/vulnerability free 
> > applications, <
>
> but to NOT perform independent security audits to their code is crazy. 
> Since these vendors are still in the 'Functionality Arms Race' phase 
> of their products. Basically, the development teams are more focused 
> on features, performance and user experience than on Security (and I 
> don't have to tell you how 'secure' apps developed like this tend to 
> be :). Maybe the solution is to put a WAF protecting a WAF protecting 
> a WAF protecting a website :). Note to vendors: If am am wrong in this 
> comment, feel free to prove me wrong and publish the security audits 
> performed on your current product(s).
>
>
> I'm sure that some of the more experienced coders on the planet will 
> disagree with the above...
>
> No mention of the fact that one vendor outright _refused_ to admit 
> that web applications can be made secure - by that I do not mean the 
> underlying code processors, but more the functionality / logic 
> enforcement and input validation....
>
> Nor the fact that they was a hard squeeze on the fact that the same 
> vendors'
> appliance has known bugs....
>
> Hmm... Secure your network by adding more bugs..... or are customers 
> supposed to purchase an extra WAF from a different vendor to protect 
> the original WAF's interface ? anyways...
>
>
> Moreover - how many of the above build upon open-source with out  
> fulfilling
> the requirements of the relative license? [apparently F5 are in the
> clear... or so they say...]
>
> Think the EFF should engage....
>
> MindsX
>
> ---------------------------------------------------------------------- 
> ---
> Sponsored by: Watchfire
>
> The Twelve Most Common Application-level Hack Attacks
> Hackers continue to add billions to the cost of doing business online
> despite security executives' efforts to prevent malicious attacks.  
> This
> whitepaper identifies the most common methods of attacks that we  
> have seen,
> and outlines a guideline for developing secure web applications.
> Download this whitepaper today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx? 
> id=701300000007t9r
> ---------------------------------------------------------------------- 
> ----


- Sponsored Advertisement --------------------------------------------------
The Software Security Summit is the only event that addresses security
issues at the application development level. Join us Jun 5-7, Baltimore, MD.
http://www.s-3con.com
----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

-------------------------------------------------------------------------
Sponsored by: Watchfire

Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------